Problem with Iptables.

November 18, 2013 55.3k views
Hi. I have a problem with Iptables. I can`t use the command: sudo iptables -L, because the error is: FATAL: Could not load /lib/modules/3.2.0-55-virtual/modules.dep: No such file or directory iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. I have installed on my droplet (system ubuntu 12.04) Zpanel and fail2ban according to this guide: https://digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04 Please, help me. Thank for every piece of advice!
3 comments
17 Answers
@Leandro: You have to install the kernel that you're using:
sudo apt-get install linux-image-$(uname -r)


Once that's done, it should work. If it doesn't, try rebooting your droplet.
  • Thanks. Thats the one i needed.
    it solved my problem.
    Thanks a lot.

    just use the following command guys

    sudo apt-get install linux-image-$(uname -r)
    
You must install the kernel package corresponding to the kernel you set your droplet to boot from (using our control panel).

The problem still exists in the latest version of the kernel selected for a dropbox with Ubuntu 16.04: "Ubuntu 16.04 x64 vmlinuz 4.4.0-28-generic", kernel modules becoming somehow "ephemeral" (disappearing after the reboot) + making the floating IP not working anymore:

# iptables -nvL
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.4.0-28-generic
iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
# uname -a
Linux do1 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:09:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Also I tryed to reinstall the packages linux-image-4.4.0-28-generic & linux-headers-4.4.0-28-generic, but after a reboot (or a cold restart of the droplet), the kernel modules needed for iptables are missing again, having to reinstall them by hand again.

Also, this effect somehow negatively affects the Floating IP, making not forwarding any more packets to the real IP of the droplet, than after I tried to reassing the IP (even with unassing & assing) only syn-packets are seen by the droplet:

# tcpdump -ni ens3 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
01:09:12.412367 IP 46.229.168.74.13662 > 10.19.0.5.80: Flags [S], seq 4276730076, win 29200, options [mss 1460,sackOK,TS val 2958302465 ecr 0,nop,wscale 7], length 0
01:09:12.476775 IP 54.36.149.72.22052 > 10.19.0.5.80: Flags [SEW], seq 3676365313, win 29200, options [mss 1460,sackOK,TS val 523651869 ecr 0,nop,wscale 7], length 0
01:09:12.976502 IP 46.229.168.65.18120 > 10.19.0.5.80: Flags [S], seq 2115694078, win 29200, options [mss 1460,nop,wscale 8], length 0
01:09:13.478790 IP 54.36.149.72.22052 > 10.19.0.5.80: Flags [S], seq 3676365313, win 29200, options [mss 1460,sackOK,TS val 523652120 ecr 0,nop,wscale 7], length 0
01:09:13.997644 IP 46.229.168.65.18120 > 10.19.0.5.80: Flags [S], seq 2115694078, win 29200, options [mss 1460,nop,wscale 8], length 0
01:09:14.656615 IP 46.229.168.79.41028 > 10.19.0.5.80: Flags [S], seq 2031893919, win 29200, options [mss 1460,sackOK,TS val 1861357496 ecr 0,nop,wscale 7], length 0
01:09:15.498728 IP 54.36.149.72.22052 > 10.19.0.5.80: Flags [S], seq 3676365313, win 29200, options [mss 1460,sackOK,TS val 523652625 ecr 0,nop,wscale 7], length 0

Than after a while, these packages are not seen anymore.

There's no firewall configured (after reinstalling the kernel modules by hand, there are no rules):

# apt-get install --reinstall linux-image-generic linux-headers-generic linux-image-`uname -r` linux-headers-`uname -r`
...
# iptables-save 
# Generated by iptables-save v1.6.0 on Tue Jan 16 01:18:13 2018
*raw
:PREROUTING ACCEPT [409:29597]
:OUTPUT ACCEPT [279:41334]
COMMIT
# Completed on Tue Jan 16 01:18:13 2018
# Generated by iptables-save v1.6.0 on Tue Jan 16 01:18:13 2018
*mangle
:PREROUTING ACCEPT [409:29597]
:INPUT ACCEPT [409:29597]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [281:42238]
:POSTROUTING ACCEPT [281:42238]
COMMIT
# Completed on Tue Jan 16 01:18:13 2018
# Generated by iptables-save v1.6.0 on Tue Jan 16 01:18:13 2018
*nat
:PREROUTING ACCEPT [15:753]
:INPUT ACCEPT [15:753]
:OUTPUT ACCEPT [10:886]
:POSTROUTING ACCEPT [10:886]
COMMIT
# Completed on Tue Jan 16 01:18:13 2018
# Generated by iptables-save v1.6.0 on Tue Jan 16 01:18:13 2018
*filter
:INPUT ACCEPT [1460:132563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1196:222500]
COMMIT
# Completed on Tue Jan 16 01:18:13 2018

  • Has anyone solved this issue? I'm running into the same issue phil2k is describing. I'm having problems figuring out the solution.

Did you update your kernel by chance?

I had a similar problem with playing around with new kernel. Any update would break UFW.

Never bothered to try to find correct answer just moved kernel back to default.


In your case it would be 3.2.0-55-virtual
in my case, uname said the kernel is 3.2.0-55-virtual .
and it is 3.2.0-55-virtual in my control panel - settings - kernel.
but still got the error:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save
FATAL: Could not load /lib/modules/3.2.0-55-virtual/modules.dep: No such file or directory
iptables v1.4.12: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
oh, I found the problem:
ls /lib/modules/
3.2.0-23-virtual

Hi Will, I´m having the same problem whit the same version, how do I update/upgrade the /lib/modules? In my case under this folder I have two folders (3.2.0-24-virtual and 3.2.0-48-virtual) and I´m using 3.2.0-55-virtual as you...
Kamal Nasser, Thank you for the no hassle solution. It worked, ufw started working again after a reboot.
I'm having the same issue. I've not changed the kernal from what was installed.
I moved it back to the default, but it still doesn't work.

uname -r
3.5.0-17-generic
ls /lib/modules/
drwxr-xr-x 4 root root 4096 May 1 11:03 3.5.0-17-generic

modprobe ip_tables
FATAL: Error inserting ip_tables (/lib/modules/3.5.0-17-generic/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted

FATAL: Error inserting ip_tables (/lib/modules/3.5.0-17-generic/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
@chas.snider: It sounds like there is a mismatch between the kernel you have installed and the kernel selected in the DigitalOcean panel. Make sure the versions match.

sudo apt-get install linux-image-$(uname -r)

fixed the issue for me

Thanks @Kamal

sudo apt-get install linux-image-$(uname -r)

worked for me also! thanks!

What is the process for a solution for Centos 7?
Looks like I was in panic mode when I posted this question. I did correct the issue by injecting the new kernel from the management section and powered down and back up. Evidently the kernel is independently managed and I did not know that.

Another advice is to try reinstall kernel:
sudo apt-get install --reinstall linux-image-$(uname -r)

Have another answer? Share your knowledge.